From ec873e2dc38af51d7da41d65fb28a1daf707b557 Mon Sep 17 00:00:00 2001
From: benrubson <6764151+benrubson@users.noreply.github.com>
Date: Thu, 5 Nov 2020 23:56:30 +0100
Subject: [PATCH 1/2] Add SoftEtherVPN jail

---
 ChangeLog | 1 +
 config/filter.d/softethervpn.conf | 9 +++++++++
 config/jail.conf | 5 +++++
 fail2ban/tests/files/logs/softethervpn | 7 +++++++
 4 files changed, 22 insertions(+)
 create mode 100644 config/filter.d/softethervpn.conf
 create mode 100644 fail2ban/tests/files/logs/softethervpn

diff --git a/ChangeLog b/ChangeLog
index c3e2c6d4..d1aa66c5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,7 @@ ver. 0.10.6-dev (20??/??/??) - development edition
 * parsing of action in jail-configs considers space between action-names as separator also (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
 * new filter and jail for GitLab recognizing failed application logins (gh-2689)
+* new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723)
 * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631)
 * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
 * datetemplate: improved anchor detection for capturing groups `(^...)`;
diff --git a/config/filter.d/softethervpn.conf b/config/filter.d/softethervpn.conf
new file mode 100644
index 00000000..0cbf5c94
--- /dev/null
+++ b/config/filter.d/softethervpn.conf
@@ -0,0 +1,9 @@
+# Fail2Ban filter for SoftEtherVPN
+# Detecting unauthorized access to SoftEtherVPN
+# typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^%(__prefix_line)s(?:\([0-9 :.-]{23}\) :)? Connection ".+": User authentication failed. The user name that has been provided was ".+", from .$
diff --git a/config/jail.conf b/config/jail.conf
index 8fbd23a1..67f39e40 100644
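Review bot: The header comment names the two log locations but not the two line shapes the regex has to accept, so the optional parenthesised-timestamp group in `failregex` is left unexplained; the syslog sample in the test fixture shows SoftEther repeating its own `(YYYY-MM-DD hh:mm:ss.mmm) :` stamp after the syslog prefix, whereas a sec.log line goes straight from its timestamp to `Connection`. Suggest adding below the third comment line `# syslog lines carry a second "(date time) :" stamp after the prefix; sec.log lines do not`, so the group's purpose survives the regex rework in patch 2/2 and any later edits. The tail `from .$` reads as if an angle-bracket host placeholder was dropped when this page was rendered (the 2/2 author's e-mail address is missing the same way); if the committed file really had no host capture, fail2ban would have nothing to ban, so the raw file is worth a glance.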
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -820,6 +820,11 @@ udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010
 action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
 
+[softethervpn]
+port = 500,4500
+protocol = udp
+logpath = /usr/local/vpnserver/security_log/*/sec.log
+
 [gitlab]
 port = http,https
 logpath = /var/log/gitlab/gitlab-rails/application.log
diff --git a/fail2ban/tests/files/logs/softethervpn b/fail2ban/tests/files/logs/softethervpn
new file mode 100644
index 00000000..dd2a798b
--- /dev/null
+++ b/fail2ban/tests/files/logs/softethervpn
@@ -0,0 +1,7 @@
+# Access of unauthorized host in /usr/local/vpnserver/security_log/*/sec.log
+# failJSON: { "time": "2020-05-12T10:53:19", "match": true , "host": "80.10.11.12" }
+2020-05-12 10:53:19.781 Connection "CID-72": User authentication failed. The user name that has been provided was "bob", from 80.10.11.12.
+
+# Access of unauthorized host in syslog
+# failJSON: { "time": "2020-05-13T10:53:19", "match": true , "host": "80.10.11.13" }
+2020-05-13T10:53:19 localhost [myserver.com/VPN/defaultvpn] (2020-05-13 10:53:19.591) : Connection "CID-594": User authentication failed. The user name that has been provided was "alice", from 80.10.11.13.

From 010e76406fd2aac83b8cf6da27e9d380cc75dad4 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" 
Date: Mon, 9 Nov 2020 13:19:25 +0100
Subject: [PATCH 2/2] small tweaks (both 2nd time and facility are optional, avoid catch-all, etc)

---
 config/filter.d/softethervpn.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/softethervpn.conf b/config/filter.d/softethervpn.conf
index 0cbf5c94..f7e7c0c3 100644
--- a/config/filter.d/softethervpn.conf
+++ b/config/filter.d/softethervpn.conf
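Review bot: `port = 500,4500` with `protocol = udp` bans only the IPsec/L2TP ports, while the filter matches every failed SoftEther login regardless of transport; a client failing against the SSL-VPN TCP listeners (443, 992, 1194 and 5555 in SoftEther's stock configuration, as far as I recall) is logged but never blocked. The jail directly above, whose `action_` pair forms this hunk's context, already shows the two-action pattern for mixed protocols; mirroring it here keeps the ban aligned with what the log reports. The port lists below are product defaults and should be trimmed to the listeners actually enabled on the server.
```ini
[softethervpn]
# SoftEther stock listeners; keep only the ones enabled on this server
tcpport = 443,992,1194,5555
udpport = 500,4500
logpath = /usr/local/vpnserver/security_log/*/sec.log
action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
          %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
```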
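Review bot: Both samples are positive matches, so nothing in the fixture pins what the filter must not match; a line for a successful authentication or any other sec.log event, preceded by `# failJSON: { "match": false }`, would catch a regex that over-matches. A third positive sample whose user name itself contains a double quote, with `host` set to the address at the true end of the line, would also lock in the case the 2/2 patch's `(?:[^"]+|.+)` branch is written for. I cannot see the exact wording SoftEther uses for a successful login, so the negative sample has to come from a real log rather than be invented.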
@@ -6,4 +6,4 @@
 before = common.conf
 
 [Definition]
-failregex = ^%(__prefix_line)s(?:\([0-9 :.-]{23}\) :)? Connection ".+": User authentication failed. The user name that has been provided was ".+", from .$
+failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "(?:[^"]+|.+)", from \.$
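Review bot: The literal full stops in `User authentication failed. The user name` are still unescaped after this rewrite, so each `.` matches any character; the fix is `User authentication failed\. The user name that has been provided was`, consistent with the `\.$` the patch already escapes at the end of the line. For a single log line `(?:[^"]+|.+)` accepts the same strings as `.+` (the first branch only steers the matcher away from quote-containing names), and since the user-name field is client-supplied it is the trailing anchor, not the alternation, that keeps the captured host at the real end of the line; a comment such as `# user name is client-supplied and may contain quotes; the $-anchored host at end of line is the one banned` would stop a later edit from relaxing it. The `from \.$` ending looks like an angle-bracket host placeholder stripped by the page rendering rather than an omission in the file.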